6.
How do the malwarians evade
sandbox analysis?
Look for indicators of a VM
• VM Tools
• Registry keys
• Hardware (is virtual, not real)
Look for ‘Recent Files’
• Have you opened several misc. documents?
Processor related indicators
• Some API calls take MUCH longer on a VM
MalwareArchaeology.com

24.
Simple Manual Analysis
• In 1 minute or less I was able to tell this Word
DOC is malicious with very basic analysis
– 7Zip, Strings & OfficeMalScanner
• To be certain the file is bad, we could
detonate it in a lab or an online solution
• Let’s see what the fancy-pants cloud and
sandbox solutions say about it
• By the way, documents auto-processed to the
cloud may contain PII ;-(
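The deck's one-minute manual check (7Zip to open the container, Strings to read what is inside) as an added example; this is not the deck's or MalwareArchaeology's code. It assumes an OOXML (.docx/.docm) zip rather than a legacy OLE .doc, the indicator lists are constructed, and because macro source inside vbaProject.bin is MS-OVBA compressed this is only a first pass, with OfficeMalScanner or detonation as the next step.

```python
import io
import re
import zipfile

# First-pass triage of an OOXML (.docx/.docm) file, mirroring the deck's
# "7Zip + Strings" step: the file is a zip, so list its parts, flag a VBA
# container, and pull `strings`-style ASCII runs to spot auto-run macro names,
# download/execute APIs and URLs. Indicator lists are constructed, not exhaustive.
AUTORUN_NAMES = ("AutoOpen", "Document_Open", "AutoExec", "Workbook_Open")
SUSPICIOUS_APIS = ("URLDownloadToFile", "WScript.Shell", "CreateObject", "Shell", "powershell")
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")          # what `strings` prints by default
URL = re.compile(rb"https?://[^\s\"'<>]+")


def printable_strings(data: bytes) -> list:
    """Return runs of 6+ printable ASCII bytes, like the `strings` tool."""
    return [m.group(0) for m in ASCII_RUN.finditer(data)]


def triage_ooxml(blob: bytes) -> dict:
    """Unzip an OOXML document in memory and report macro-related indicators."""
    report = {"parts": [], "has_vba": False, "autorun": [], "apis": [], "urls": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            report["parts"].append(name)
            data = zf.read(name)
            # vbaProject.bin is the OLE blob holding the macros; its presence alone
            # is worth noting (the source inside it is MS-OVBA compressed).
            if name.lower().endswith("vbaproject.bin"):
                report["has_vba"] = True
            for s in printable_strings(data):
                for tag in AUTORUN_NAMES:
                    if tag.encode() in s and tag not in report["autorun"]:
                        report["autorun"].append(tag)
                for api in SUSPICIOUS_APIS:
                    if api.encode() in s and api not in report["apis"]:
                        report["apis"].append(api)
                for u in URL.findall(s):
                    if u.decode() not in report["urls"]:
                        report["urls"].append(u.decode())
    # Macro container plus an auto-run entry point is enough to escalate to
    # full analysis (OfficeMalScanner, lab detonation), as the deck describes.
    report["suspicious"] = report["has_vba"] and bool(report["autorun"])
    return report


def build_sample() -> bytes:
    """Constructed .docm-like zip with a fake VBA part; not a real malware sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels",
                    '<Relationship Target="http://example.invalid/stage2.bin" TargetMode="External"/>')
        zf.writestr("word/vbaProject.bin",
                    b"\x00" * 16 + b"Sub AutoOpen()\x00URLDownloadToFile\x00WScript.Shell\x00")
    return buf.getvalue()
```

Run `triage_ooxml(open(path, "rb").read())` on a real file; the URLs and filenames it returns are exactly the artifacts the later slides say to feed into log management.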

31.
Artifacts / Indicators
• What do we want to get out of any analysis?
– URLs: what websites were visited
– IPs: communications
– Filenames: what files were added
– Directories used: where does it live
– Autoruns used: how does it launch
– Config changes: what changed
– Metadata: details
– Signed: digital signatures
– Behavior: what actually happened
– Network info: traffic behavior, Net Flow

32.
Artifacts / Indicators
• Why do we want this data?
• We need to know who else got infected
– The IPs and URLs
• What was added
• What was changed
• So we know whether to
– Re-image
– IF we can clean it up

43.
Sandbox or Manual?
• Paid solutions work better than free ones
• Many samples failed to execute due to VM-aware checks
• Not as much detail as you can get yourself (IMHO)
• You CAN do as good a job as sandbox solutions, or
better
• Sandbox solutions are good for multiple samples after
you have evaluated one using manual analysis, so you
can compare results
• You may, or will, have to super-harden VM sandboxes to
make them look and act like a normal system

45.
Free Edition
• Audit your settings – Do you comply?
• Harvest security relevant log data
• Whitelist log events by IP, Cmd Line, Process and
File / Registry audit locations
• Perform a full File Baseline of a system
• Compare a suspect system to a Baseline or Dir
• Perform a full Registry snapshot of a system
• Compare a suspect system to a Reg Baseline
• Look for Large Registry Keys for hidden payloads

48.
So what do we get?
• WHAT Processes executed
• WHERE it executed from
• IPs to enter into log management to see
WHO else opened the malware
• Details needed to remediate infection
• Details to improve your Active Defense!
• I did this in…
15 Minutes!